Responding to criticisms about OpenID: convenience, security and personal agency

Chris Dracket responded to one of my tweets the other day, saying that “OpenID should be dead… it’s way over-rated”. I’ve of course heard plenty of criticisms of OpenID, but hadn’t really heard that it was “overrated” (which implies that people have a higher opinion of OpenID than it merits).

Intrigued, I replied, asking him to elaborate, which he did via email:

I don’t know if overrated is the right word.. but I just don’t see OpenID ever catching on.. I think the main reason is that it’s too complex / scary of an idea for the normal user to understand and accept.

In my opinion the only way to make OpenID seem safe (for people who are worried about privacy online) is if the user has full control over the OpenID provider. While this is possible for people like you and me, my mom is never going to get to this point, and if she wants to use OpenID she is going to have to trust her sensitive data to AOL, MS, Google, etc. I think that people see giving this much “power” to a single provider as scary.

Lastly I think that OpenID is too complex to properly explain to someone and get them to use it. People understand usernames and passwords right away, and even OAuth, but OpenID in itself I think is too hard to grasp. I dunno, just a quick opinion.. I think there is a reason that we don’t have a single key on our key rings that opens our house, car, office and mailbox, not that that is a perfect/accurate analogy, but it’s close to how some people I’ve talked to think OpenID works.

Rather than respond privately, I asked whether it’d be okay if I posted his follow-up and replied on my blog. He obliged.

To summarize my interpretation of his points: OpenID is too complex and scary, potentially too insecure, and too confined to the hands of a few companies.

Convenience

OpenID should not be judged by today’s technological environment alone, but rather should be considered in the context of the migration to “cloud computing”, where people no longer access files on their local hard drive, but increasingly need to access data stored by web services.

All early technologies face criticism based on current trends and dominant behaviors, and OpenID is no different. At one time, people didn’t grok sending email between different services (in fact, you couldn’t). At one time, people didn’t grok IMing their AOL buddies using Google Talk (in fact, you couldn’t). At one time, you had one computer and your browser stored all of your passwords on the client-side (this is basically where we are today) and at one time, people accessed their photos, videos, and documents locally on their desktop (as is still the case for most people).

Cloud computing represents a shift in how people access and share data. Already, people rely less and less on physical media to store data and more and more on internet-based web services.

As a consequence, people will need a mechanism for referencing their data and services as convenient as the c: prompt. An OpenID, therefore, should become the referent people use to indicate where their data is “stored”.

An OpenID is not just about identification and blog comments; nor is it about reducing the number of passwords you have (that’s a by-product of user-centered design). Consider:

if you host your own blog or website, you will be able to provide your address and then prove it, because you are OpenID-enabled.

The long-term benefit of OpenID is being able to refer to all the facets of your online identity and data sources with one handy — ideally memorable — web-friendly identifier. Rather than relying on my email addresses alone to identify myself, I would use my OpenIDs, and link to all the things that represent me online: from my resume to my photos to my current projects to my friends, web services and so on.

The big picture of cloud computing points to OpenIDs simplifying how people access, share and connect data to people and services.

Security

I’ve heard many people complain that if your OpenID gets hacked, then you’re screwed. They claim that it’s like putting all your eggs in one basket.

But that’s really no different than your email account getting hacked. Since your email address is used to reset your password, any or all of your accounts could have their passwords reset and changed; worse, the password and the account email address could be changed, locking you out completely.

Furthermore, because securing your OpenID is outside of the purview of the spec, you can choose an OpenID provider (or set up your own) with a level of security that fits your needs. So while many OpenID providers currently stick with the traditional username and password combo, others offer more sophisticated approaches, from client-side certificates and hardware keys to biometrics and image-based password shields (as in the case of my employer, Vidoop).

One added benefit of OpenID is the ability to audit and manage access to your account, just as you do with a credit card account. This means that you have a record of every time someone (hopefully you!) signs in to one of your accounts with your OpenID, as well as how frequently sign-ins occur, from which IP addresses and on what devices. From a security perspective, this is a major advantage over basic usernames and passwords, as collecting this information from each service provider would prove inconvenient and time-consuming, if even possible.
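The kind of review a single provider-side sign-in record makes possible, as an added example that is not from the original post. The record layout, relying-party URLs, addresses, learning period and burst thresholds are all constructed for illustration.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample data: (timestamp, relying party, source IP, device label).
# The layout is an assumption; real OpenID providers expose this differently.
SIGN_INS = [
    ("2008-12-01T08:15:00", "https://photos.example/", "198.51.100.7", "laptop"),
    ("2008-12-03T19:40:00", "https://blog.example/", "198.51.100.7", "laptop"),
    ("2008-12-05T12:05:00", "https://photos.example/", "203.0.113.20", "phone"),
    ("2008-12-09T08:20:00", "https://wiki.example/", "198.51.100.7", "laptop"),
    ("2008-12-14T03:11:00", "https://blog.example/", "192.0.2.99", "unknown-desktop"),
    ("2008-12-14T03:12:30", "https://photos.example/", "192.0.2.99", "unknown-desktop"),
    ("2008-12-14T03:14:10", "https://wiki.example/", "192.0.2.99", "unknown-desktop"),
    ("2008-12-15T08:30:00", "https://blog.example/", "198.51.100.7", "laptop"),
]


def review_sign_ins(records, learn_until,
                    burst_window=timedelta(minutes=10), burst_size=3):
    """Return (sign-ins per relying party, [(record, reasons), ...]).

    Records before `learn_until` only build the baseline of known IPs and
    devices. Later records are flagged when the IP or device is outside that
    baseline, or when they complete `burst_size` sign-ins inside `burst_window`.
    """
    events = sorted((datetime.fromisoformat(ts), rp, ip, dev)
                    for ts, rp, ip, dev in records)
    cutoff = datetime.fromisoformat(learn_until)
    per_rp = Counter(rp for _, rp, _, _ in events)

    known_ips, known_devices = set(), set()
    recent = []   # timestamps still inside the burst window
    flagged = []
    for when, rp, ip, dev in events:
        recent = [t for t in recent if when - t <= burst_window] + [when]
        if when < cutoff:
            # Learning period: trust these and remember them.
            known_ips.add(ip)
            known_devices.add(dev)
            continue
        reasons = []
        if ip not in known_ips:
            reasons.append("new-ip")
        if dev not in known_devices:
            reasons.append("new-device")
        if len(recent) >= burst_size:
            reasons.append("burst")
        # Nothing is added to the baseline here: a new IP or device stays
        # flagged until the account owner confirms it (not modelled).
        if reasons:
            flagged.append(((when.isoformat(), rp, ip, dev), reasons))
    return per_rp, flagged


if __name__ == "__main__":
    counts, flagged = review_sign_ins(SIGN_INS, "2008-12-10T00:00:00")
    for rp, n in sorted(counts.items()):
        print(f"{n:3d} sign-ins  {rp}")
    for record, reasons in flagged:
        print("REVIEW", record, ",".join(reasons))
```

Because every relying party's sign-in passes through the provider, the three flagged events span three different sites yet appear in one place. With per-site usernames and passwords, the same review would need a log from each service.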

Given this benefit, it’s worth considering that identity technologies are being pushed on the government. If you’re worried about putting all your eggs in one basket, would you think differently if the government owned that basket?

OpenID won’t force anyone to change their current behavior, certainly not right away. But wouldn’t it be better to have the option to choose an alternative way to secure your accounts if you wanted it? OpenID starts with the status quo and, coupled with OAuth, provides an opportunity to make things better.

We’re not going to make online computing more secure overnight, but it seems like a prudent place to start.

Personal agency for web citizens

Looking over the landscape of existing social software applications, I see very few (if any) that could not be enhanced by OpenID support.

OpenID is a cornerstone technology of the emerging social web, and adds value anywhere users have profiles, accounts or need access to remote data.

Historically, we’ve seen similar attempts at providing a universal login account. Microsoft even got the name right with “Passport”, but screwed up the network model. Any identity system, if it’s going to succeed on the open web, needs to be designed with user choice at its core, in order to facilitate marketplace competition. A single-origin federated identity network will always fail on the internet (as Joseph Smarr and John McCrea like to say of Facebook Connect: We’ve seen this movie before).

As such, selecting an identity provider should not be relegated to a default choice. Where you come from (what I call provenance) has meaning.

For example, if you connect to a service using your Facebook account, the relying party can presume that the profile information that Facebook supplies will be authentic, since Facebook works hard to ferret out fake accounts from its network (unlike MySpace). Similarly, signing in with a Google Account provides a verified email address.

Just like the issuing country of your passport may say something about you to the immigration official reviewing your documents, the OpenID provider that you use may also say something about you to the relying party that you’re signing in to. It is therefore critical that people make an informed choice about who provides (and protects) their identity online, and that the enabling technologies are built with the option for individuals to vouch for themselves.

In the network model where anyone can host their own independent OpenID (just like anyone can set up their own email server), competition may thrive. Where competition thrives, an ecosystem may arise, developed under the rubric of market dynamics and Darwinian survivalism. And in this model, the individual is at the center, rather than the services he or she uses.

Final words

OpenID is not overrated, it’s just early. We’re just getting started with writing the rules of social software on the web, and we’ve got a lot of bad habits to correct.

As cloud computing goes mainstream (evidenced in part by the growing popularity of Netbooks this holiday season!), we’re going to need a consumer-facing technology and brand like OpenID to help unify this new, more virtualized world, in order to make it universally accessible.

Fortunately, as we stack more and more technologies and services on our OpenIDs, we can independently innovate the security layer, developing increasingly sophisticated solutions as necessary to make sure that only the right people have access to our accounts and our data.

It is with these changes that we must evaluate OpenID — not as a technology for 2008’s problems — but as a formative building block for 2009 and the future of the social web.

19 thoughts on “Responding to criticisms about OpenID: convenience, security and personal agency”

Well said, dude. I think the “building block” aspect of OpenID is the one that is commonly misunderstood. It’s one I’ve tried to stress a lot in presentations and talks – using analogies such as your OpenID is akin to your passport / driver’s license number, etc. I’ve found slowly (but surely) lightbulbs are starting to go off within my small sphere of influence.

Hey, Chris, nice post! One point of clarification, when I invoke the “We’ve seen this movie before” analogy, I am making reference to something much bigger than Facebook Connect or any one company’s efforts. As in my recent keynote at the Open Stack meetup, linked here: http://therealmccrea.com/2008/12/24/my-keynote-address-at-last-weeks-open-stack-meetup/, you’ll see I’m talking about why so many companies are working together on the Open Stack. The “We’ve seen this movie before” is one of four reasons why companies like Google, Yahoo, MySpace, Plaxo, and so many others are working together…

This was what jumped out at me pretty much immediately: I think there is a reason that we don’t have a single key on our key rings that opens our house, car, office and mailbox, not that that is a perfect/accurate analogy, but it’s close to how some people I’ve talked to think OpenID works.

But it’s funny that most people have a single password (and typically username) in our keychains (lol Mac data management joke) for our e-mail, our blogs, our forums, and our social networks.

I sort of agree that OpenID is a poor solution. But I don’t think anything better is possible within the current infrastructure. I think there needs to be an infrastructure upgrade, largely so people can easily have an identity tied to an identity provider they have full control over. I think that’s a killer issue with OpenID.

I agree with everything in your rebuttal. They are all good points. But the key feedback that motivated this post was that “normal users don’t get it” (the “it” being OpenID and not federated login in general) and your rebuttal didn’t address that.

The feedback is that normal users understand “Sign in with Facebook” or “Sign in with Yahoo”. On the contrary, they don’t understand “Sign in with OpenID”. OpenID as an underlying/hidden technology probably makes more sense. Just as in the corporate environment, you don’t message to users that they should “Sign in with SAML”.

Something that I think needs to be clarified, and which determines what role OpenID plays in the world, is whether it’s a “brand” or a “technology”?

It can’t be both, and the decision the Foundation adopts will greatly impact it. OpenID can be a brand for the technology like it currently is, but the attempts to make it a brand for single-sign are creating issues.

If it’s a brand, it means competing identity systems need to work under the brand. That’s a good thing, because OpenID is not suited for all situations. It also means we can tackle the challenge OpenID faces which is recognition and brand awareness, under a more unified effort.

But this is going against the very thing that OpenID is, which is a technology solution.

I think the solution for a lot of OpenID’s problems, is coming to grips with this identity problem (pardon the pun).

@Vinny: Hmm, you’re kind of right! Well, I guess I wanted to frame the argument that OpenID shouldn’t only be evaluated as a single sign-on solution, but as more than that… but today’s OpenID really only does one thing for you, and for many people, in a way that doesn’t make much sense… yet.

By demonstrating some of the benefits of OpenID in the future, I was trying to make the point that OpenID will make some tasks easier that are hard, and that those tasks will become increasingly common for people. As that occurs, the benefits of OpenID will be made more plain and will outweigh what is currently a somewhat cumbersome and confusing user experience.

In other words, the way OpenID authentication is done today isn’t actually that bad once you get used to it. However, unless or until you have many accounts keyed to your OpenID, you won’t see much benefit in using it (especially if you use 1Password or your browser password manager). It’s access to your data that OpenID will facilitate, and I think that the flow, given the web of today, will eventually make sense to people (not to mention that we can get browsers to support it better, etc).

@Elias: I completely disagree with you, and I disagree with Luke Shepard (Facebook) as well. OpenID is both a technology and needs to become more of a brand. I don’t understand why there’s a conflict there.

Blu-ray, Bluetooth, FireWire and USB are all technologies that also are strong brands (the former two obviously better examples). OpenID needs to be a strong, secure technology that people also can recognize and take some ownership of (“I know what my OpenID is”).

We did it with Firefox — granted to a limited extent — but still enabled a large number of web users to switch from the anonymous “Blue E” to something different. There will definitely be room for Google Friend Connect, Facebook Connect and a bunch of login buttons on websites, but long term, we need to have a strong OpenID brand in the mix as well, or else we end up creating the modern day equivalents of Ford, General Motors, Chrysler.

For me, “Open Stack” is what we’re using (so far, with all its foibles) to describe the technology behind, or in concert with, OpenID that makes it a viable competitor to Facebook Connect. OpenID is the brand that needs to become consumer-friendly if we’re going to see long term adoption. In Japan, OpenID was the third most popular buzzword used in IT media in 2008. If we keep moving in this direction, I think we’ll make good progress establishing and popularizing the OpenID brand.

No, you’re right Chris my bad. I guess I am still trying to place OpenID in the broader Identity world and my thoughts are a little jumbled.

Key will be to make the Open Stack ready. Facebook has won this round, but that’s a good thing – it’s driving adoption of the concepts and creating mass market awareness. History has proven empires and companies fail (no exceptions on that rule), so the Open Stack just needs to be ready to sweep when Facebook fumbles.

I think you haven’t addressed my main criticism, and you actually give me a striking proof of it by writing a beautifully revealing lapsus, at the end of the second list: “because you are OpenID-enabled.”

Read again: ‘you’, not ‘your website’.

I’m not afraid of you sticking a 3G-enabled, DNS-referenced, server-capable chip under the skin of my forearm, but I’ve been very concerned by your prejudice for quite some time.

You associate someone and their website, i.e. a unique URL that they fully control. It’s fine for A- or B-list bloggers, people whose work focuses on building a personal, public, digital brand on-line, but not for most people. Most people’s efforts are not centered around designing content for a website, within a team so small and talented they control, know and trust all the elements on it and can be assured all the meta-info fit their individual goals for self-projection. You are making the same ethnocentric mistake Stallman does when he assumes the only thing most people want to change on their computer is knick and bolts within the OS (while a majority are far more interested in the desktop image). With that focus, I can’t promise you higher adoption figures than GPL among mass market.

The reason so many have argued in favor of e-mail identifiers instead of URL is because they identify with it far more.

Many web professionals have their details distributed among many URLs (and no intention to make it coherent on one site).

Far more non-geeks have hardly any information outside of a few corporately controlled silos, that they identify as the corporation far more than with themselves. If you want an example of that “it’s the company, not me” in case, consider the recent uproar on breast-feeding and Facebook: were the interns censoring profile pics responsible? Obviously not: they simply answered the explicit request to do so, from one of the mother’s *friend*. The fact that Facebook is a tool for social relations (not unlike the phone) appeared completely oblivious — and people are now holding a protest against AT&T because their mother-in-law uses offensive language on the phone.

You feel that it’s natural to point at a website and say “This is me”. As long as the people on the board you were appointed to do not understand this is not spontaneous, I predict OpenID might stall. Some people point at a house and say “This is me”; some point at a car; some might consider a song, or a film: maybe a cellphone. For those, their licence plates, their myspace ID, their nickname or their cellphone number is the obvious identifier. When I write “obvious”, please understand that I mean: autistic, unable to comprehend other people’s different representation of the world, “Please get a clue and realize I actually /happen to know several ‘John’s/own several computers/was given this cellphone by my boss, for professional use only”.

For me (and many of your friends I’m assuming) it’s more natural to point at a laptop and say “This is me”. My natural identifier is my MAC address, and I would love the world to have a MAC-based Wifi for all, including an automated enforced return of stolen property: it would be safer, more secure, more convenient, obviously more intuitive and easier. My main concern, being connected at any time, could be resolved for everyone, including those who share their computer, or have several, those who don’t care and have no clue what MAC is, or that it is an ideal identifier. And this dream would autistically focus on one type of identifier, a different one than OpenID.

The fact that the extract that I’ve taken is under “Convenience” makes it all the more painful to me.

Regarding the comment that you are addressing: I had the impression that Chris Drackett was considering *perception* of safety and simplicity, not actual issues. Throwing a four page long technical essay on how de-facto safe things are makes it all the more confusing, and frightening. My girlfriend thinks a street next to her place is unsafe; as it happens, there is a (overstaffed) Police Station in that street — but, because the paint on the walls is scaling, she finds it scary. Don’t try to increase security by doubling the officers’ shifts: try to find out what color would make it look more reassuring.

Jason, regarding the key analogy,

Actually, this can be the case with digital ID cards, used in Universities, Hotels and short-term rentals: all the locks have a list of allowed users, and every user has a single, unique ID. Logs compared to camera make the actual safety system, but keys are being reconsidered in that way, at least in comprehensive living environment.

Bertil – it is probably not ideal using ‘autistic’ as a near synonym for ‘clueless’.

In fact I think we’ll see quite a few single-use OpenIDs, in the sense of you just go thru the OpenID UI dance just once, to prove that you control the relevant page/account, and then after that, things are as they were. Many discussions of OpenID assume every day use. But we can have many specialist OpenIDs for different aspects of our lives, some linked publicly, some linked privately … it’s a pretty rich ecosystem with many options possible.

For example, I might want to prove to some other site that I’m the account holder for http://www.advogato.org/person/danbri/ (eg. to use the trust ratings in http://www.advogato.org/person/danbri/foaf.rdf or something similar in microformateze). There are various ways I might do this, eg. by logging in there and wiring up a blogroll to have rel=me pointer to another account. But logging in with my Advogato OpenID seems a simpler workflow. Right now they don’t offer OpenID over at Advogato, but since even simple delegation would do the job, I think there are good reasons to expect this to change.

Chris – nice writeup. I think the citizenship angle is well worth pushing and I’d be very happy to see the Foundation emphasise it more strongly. And w.r.t. eggs in one basket, the inbox=master key argument can’t be repeated often enough.

But that’s really no different than your email account getting hacked. Since your email address is used to reset your password, any or all of your accounts could have their passwords reset and changed; worse, the password and the account email address could be changed, locking you out completely.

At minimum, OpenID is no worse than the status quo.

There’s the problem. People want one final point where all their authentication is finalized. Chris Dracket was on to this when he suggested that people who cannot host their own OpenID solution would be reluctant to trust Yahoo, etc. But it’s not because it’s a third party big company. It’s because it doesn’t replace email as your “weakest link” point of ID verification.

A common usage model (more common than I think many of us want to think) for site validation, I fear, is this:
1) go to the site
2) “email me my password”
3) log in

Most people think of their email account as the center of their online universe, consciously or not. Unless you can get OpenID into people’s email clients you will always face the problem of people having to remember two passwords. Anything more than one is basically infinity.

Absolutely, which is why we’ve advocated for enabling email addresses as OpenIDs. Frankly, as long as you can verify it, it doesn’t matter if it’s a URL or an email address — it’s an ID of some sort!

I agree that the “email me my password” is pretty common. So is people forgetting their OpenIDs! Ideally if we can get folks in the habit of identifying themselves on a regular basis with one (or two) identifiers that are also OpenIDs, good things can come from that. Today there’s just too much fragmentation.

I thought I would take a moment and chime in to this conversation (albeit a bit late.)

In general I totally agree that a system is needed to fill the roles and functions that Chris Messina talks about above. I think my real beef against openID is one: that it’s early, just as Chris says.. and two that any “master key” needs to be extremely well thought out before presented to users.

My worry is that basic web users who see or try and learn about openID at this point in time are going to get confused or apprehensive and associate these feelings with the openID brand; This possibly could be negative to openID in the future.

I’m all for the fact the openID is currently out in the wild and evolving amongst us geeks. Maybe the problem is that this evolution and testing is taking place under the out-facing consumer brand? I’m not sure, but this thread has gotten me thinking about openID for the first time in a while. Which makes me glad I posted such an abrasive twitter reply to Chris 😉 (a post which was quite over dramatic.. such is twitter…

I’m pretty sure the reason multiple companies are involved isn’t because they just wanna get along; it’s because Facebook is killing all of them combined and they’re fearful of what the future will hold.

You guys pretend to be this open group of ideas that are sharing transparently with the public. “Anyone can contribute to our cause.” Bullshit. You (Plaxo, Google, Yahoo and MySpace) are merely pushing each other’s agenda and making decisions around how they’ll benefit each of you rather than how they benefit the community. This bullshit support of Google/Yahoo OpenID login buttons is a great example of that. Fuck Google. Fuck Yahoo. Those buttons aren’t what OpenID is about. It completely destroys its decentralization when an RP needs to pick and choose the OID providers they want to support.

You guys are full of shit and it’s too bad. I’d love to get behind you. Unfortunately your agenda is defined by your business and if either of you were in the position Facebook was, you’d be doing your own thing too.

On security: What if you’re using OpenID to log into your email provider’s web mailer? And that email is noted in your OpenID account? Then hacking your OpenID account will give an intruder access to both your OpenID and email account. Consequence: never ever, ever use OpenID to log into your email account. Someone should go and tell all email providers.
Apart from that, it really isn’t any less secure than what we have now. It could be even a little bit more secure: hacking one’s email account will probably tell on which sites someone is registered. Your OpenID account may not give someone any clue about this – depends on your OpenID provider, really.